Every year, the FBI’s Internet Crime Complaint Center receives tens of thousands of tech support fraud reports. In 2023 alone, Americans lost over $924 million to tech support scams — a figure that keeps climbing. These scams don’t rely on sophisticated exploits. They rely on panic.
What Is Scareware?
Scareware is malicious or deceptive software designed to frighten users into believing their computer is infected, compromised, or failing. The “scare” does the heavy lifting. Once a user is alarmed enough, they make poor decisions: calling a fraudulent number, granting remote access, or purchasing fake software.
Scareware appears in several forms:
- Fake antivirus pop-ups that mimic Windows Defender or McAfee alerts
- Browser lock screens that freeze the tab and play looping audio warnings
- Rogue security software that actually installs itself and demands payment to “remove” threats it invented
- Malvertising — legitimate websites serving malicious ads that trigger scareware overlays
The technical sophistication is often minimal. Many scareware campaigns use JavaScript to fill the browser with a full-screen overlay, disable certain keyboard shortcuts, and repeatedly trigger the browser’s beforeunload dialog to trap users on the page.
The Microsoft Impersonation Playbook
One of the most common tech support scam variants impersonates Microsoft. The anatomy of an attack typically follows this pattern:
-
Trigger: User visits a compromised or malicious site. A full-screen pop-up appears mimicking a Windows error screen, complete with the Microsoft logo, a fake error code (e.g.,
0x80073b01), and a phone number. -
Phone call: The victim calls the number and reaches a scammer posing as “Microsoft Support” or “Windows Technical Department.” The scammer speaks confidently and uses technical-sounding language.
-
Remote access request: The scammer asks the victim to install a legitimate remote access tool — commonly AnyDesk, TeamViewer, or UltraViewer — claiming they need to “diagnose” the problem.
-
Fake diagnostics: Once connected, the scammer runs built-in Windows tools like
eventvwr.msc(Event Viewer) ortree C:\to display normal system output, then claims these are signs of critical infections or hacking activity. Event Viewer always shows some warnings — scammers exploit this. -
Payment: The scammer demands payment — often $200–$500 — via gift cards, wire transfer, or cryptocurrency. Some go further and attempt to access banking websites or install persistent malware before disconnecting.
Microsoft never proactively contacts users about computer problems. This is not a policy that changes. Any unsolicited contact claiming to be Microsoft support is fraudulent.
Browser Lock Screen Mechanics
Browser lock screens are particularly effective because they appear to “freeze” the computer. In reality, only the browser tab is affected. The technique typically works like this:
// Simplified scareware lock screen logic
window.onbeforeunload = function() { return "WARNING: Do not close!"; };
document.addEventListener('keydown', function(e) {
if (e.key === 'F11' || e.altKey) e.preventDefault();
});
document.documentElement.requestFullscreen();
The page enters fullscreen mode, suppresses common escape shortcuts, and loops an audio warning. To an inexperienced user, this looks like the entire system is locked.
Escape techniques:
- Press
F11to exit fullscreen (often still works) - Use
Ctrl+WorCtrl+F4to close the tab - Open Task Manager (
Ctrl+Shift+Esc) and end the browser process - On Mac, use
Cmd+Option+Escto force-quit the browser
Remote Access Tool Abuse
Legitimate remote access tools like AnyDesk and TeamViewer are dual-use. When scammers gain access through these tools, they can:
- Browse files and steal documents, photos, or credentials
- Open banking sites and request fraudulent transfers
- Install backdoors or keyloggers for persistent access
- Lock users out by changing account passwords
AnyDesk and TeamViewer have both implemented scam detection features, including warnings when connections come from known scam infrastructure. However, scammers frequently pivot to lesser-known tools to avoid these protections.
Red Flags at a Glance
| Warning Sign | What It Means |
|---|---|
| Unsolicited phone call from “Microsoft” | Always a scam |
| Pop-up with phone number | Never call it |
| Request to install remote access software | Hang up immediately |
| Payment requested via gift cards | Definitive scam indicator |
| Urgency and fear language | Classic social engineering |
| ”Error codes” on screen | Normal Windows output being weaponized |
How to Protect Yourself and Others
For individuals:
- Keep browsers and extensions updated; many scareware sites exploit outdated JavaScript engines
- Use an ad blocker (uBlock Origin) to prevent malvertising
- Educate elderly family members — they are disproportionately targeted
- Never purchase gift cards as payment for any technical service
For IT administrators:
- Block known tech support scam domains via DNS filtering (Cisco Umbrella, Pi-hole)
- Disable or control installation of unapproved remote access tools via application allowlisting
- Train users to recognize scam tactics with simulated scenarios
If you’ve already been scammed:
- Disconnect from the internet immediately
- Run a legitimate antivirus scan (Malwarebytes, Windows Defender)
- Change all passwords from a separate, clean device
- Contact your bank if financial information was accessed
- Report to the FTC at reportfraud.ftc.gov and the FBI’s IC3 at ic3.gov
Scareware succeeds because it manufactures urgency. The antidote is knowing, in advance, that these alerts are fake — and having a practiced response ready before panic sets in.